
Calder, M. and Maharaj, S. and Shankland, C. (2001) An adequate logic for full LOTOS. Lecture Notes in Computer Science 2021: pp. 384-395. http://eprints.gla.ac.uk/2873/ (Glasgow ePrints Service, http://eprints.gla.ac.uk)

An Adequate Logic for Full LOTOS

Muffy Calder (1), Savi Maharaj (2), and Carron Shankland (2)

(1) Department of Computing Science, University of Glasgow, Glasgow G12 8QQ, UK. muffy@dcs.gla.ac.uk
(2) Department of Computing Science and Mathematics, University of Stirling, Stirling FK9 4LA, UK. {savi,carron}@cs.stir.ac.uk

Abstract. We present a novel result for a logic for symbolic transition systems based on LOTOS processes. The logic is adequate with respect to bisimulation defined on symbolic transition systems.

1 Introduction

LOTOS [12] is a popular process description language that has been in use for well over a decade. With the aid of a number of mature verification tools, it has been successfully applied in a number of domains, including protocols and services [17], distributed systems [23, 16], and as a semantics for higher level languages such as feature descriptions [22] and use-case maps [1]. A particularly distinctive feature of LOTOS is that it includes a rich set of operators for describing both process control and data, which may in turn affect control. However, much of the foundational work, and subsequently the verification tools, has ignored all, or parts, of the data aspect of the language. Specifically, there is no logic for reasoning about LOTOS processes with unconstrained data. This is a serious drawback since it has long been recognised that a more abstract, temporal logic is essential for describing and checking desired (or undesired) properties of processes [11]. Indeed, experience with case studies [21, 19, 20, 17] has shown the benefits of having data in the process description language and the need to express properties of a system in terms of data, as well as actions.
Often the properties refer to data, but symbolically, rather than mentioning particular instances. For example, in the classical comparator one such property is: if process Comp inputs x and y on channel in, and x and y are equivalent, then eventually it will output true on channel out. There has been a good reason to avoid dealing with data properly: in LOTOS, data introduces infinite branching into the underlying state transition systems. For example, the simple process g?x:Nat; exit results in an infinite choice, one for each member of Nat. This presents a serious obstacle to reasoning, particularly to approaches based on (finite) model-checking. Therefore existing approaches have been restricted to Basic LOTOS [13], or LOTOS with only finite data types [6]. Our aim is to provide a complete approach to data. In order to do so, we base our logic on a new semantics for LOTOS which is finitely branching. This is achieved by having a symbolic treatment of data; the underlying state transition systems are therefore called symbolic state transition systems (STSs). Our work is heavily influenced by the symbolic transition systems and logic developed by Hennessy, Lin and Liu for CCS [9, 10]. However, it is significantly different because of the special characteristics of the STSs that result from LOTOS. These derive from the three (related) features that distinguish LOTOS from most other process algebras: multi-way (broadcast) synchronisation, value negotiation, and selection predicates. Together, these features make the definition of the similar concepts of symbolic transition, bisimulation and logic non-trivial.

1.1 Related Work

A symbolic approach to message passing CCS is presented in [9] and a related logic in [10]. We adopt the theory of symbolic transition systems here, but the logic is not so useful for our applications. The logic of Hennessy and Liu is based on a late semantics, whereas we adopt an early semantics because the standard definition of LOTOS [12] is also early.
(The late and early classification relates to binding time of variables to values.) In addition, the modal operators defined rely on the classical CCS distinction between ! and ? data offers (i.e. as corresponding to output and input events). In LOTOS the distinction between these two kinds of data offers is not so clear cut. The logic does have the advantage that it is based on symbolic transition systems, and therefore places no artificial restrictions on data values.

μCRL [8] is, like LOTOS, a process algebra with data. In [7] an extension of the modal mu-calculus [14] is presented which includes quantification over data in the modal operators. The semantics of the logic is over labelled transition systems and therefore is subject to the usual problems of state explosion. The focus of their research is on proof rules for the logic rather than adequacy with respect to some equivalence over μCRL processes.

The CADP toolkit [6] provides a number of tools to analyse Full LOTOS specifications, two of which use logic to provide an abstract description of system properties. The tool evaluator takes an alternation free modal mu-calculus [14] formula and assesses its truth with respect to a LOTOS expression. The modal operators are extended to allow more flexibility in dealing with actions with data; for example, precise actions or Unix regular expressions can be matched. However, it is not possible to state general predicates on data, such as "input a value which is less than 42 but more than 3". The action formulae of this logic treat the values as syntactic entities only, whereas we provide the ability to reason about their semantics too. Also part of the CADP toolkit is XTL [15]. This is an executable temporal language which describes computations over transitions. XTL allows a more general treatment of data actions than the evaluator. For example, variables over data can be declared and matched with actions, and operations over data in the LOTOS source can also be used in the logic.
Various logics can be encoded in XTL; in fact, we have encoded a restricted form of the logic presented in this paper in XTL and carried out some limited examples. Two important disadvantages of XTL are that the underlying semantics of labelled transition systems is concrete (i.e. fully instantiated) and that CADP must impose finiteness restrictions on the data types of the language to obtain tractability. So, any logic encoded by XTL cannot handle Full LOTOS effectively or accurately.

1.2 Structure of the Paper

The structure of the rest of this paper is as follows. In Section 2 we introduce the idea of a symbolic transition system, describe how this has had to be adapted for LOTOS, and explain the problem of defining substitution and how this is solved. In Section 3 we present the syntax and semantics of a modal logic called FULL. In Section 4 we give an alternative characterisation of the equivalence induced by the logic by showing that it coincides with bisimulation on symbolic transition systems. Finally, we discuss further work and conclude in Section 5.

2 Symbolic Transition Systems

The standard semantics of LOTOS [12] (labelled transition systems) hard codes concrete data values into the transitions. For example, g!0; P offers the single transition labelled g 0, while g?x:Nat; P offers the transitions labelled by g 0, g succ(0), g succ(succ(0)), ... (Fig. 1). Thus, event offers of more than one value (i.e. ? offers) correspond to a (possibly infinite) choice over all values of the data type.

Fig. 1. Standard semantics of the g?x:Nat event offer: from g?x:Nat; P there is one branch for each of g 0, g 1, g 2, ..., g n, ...

While this makes the semantics of certain language features easier to describe (particularly multiway synchronisation), it makes reasoning about specifications more difficult since transition systems are typically infinite. Existing tools such as CADP [6] deal with this problem by imposing finiteness restrictions on data types, limiting the natural numbers, for example, to a maximum of 256.
An alternative solution is to restate the semantics of the language in a form which exposes the commonalities of actions and the finitary nature of the process specification. This can be done by basing the semantics on symbolic transition systems (STSs). These are essentially transition systems whose transitions can have free variables in the data label and are additionally labelled with a transition condition representing the conditions under which that transition is available. This approach was first introduced in [9], which gave a symbolic semantics for value passing CCS. In our research [4, 3], we have been adapting this theory for use with LOTOS. There are significant differences between LOTOS and value passing CCS which mean that this adaptation is not straightforward. One difference is that input events in CCS are always unconstrained and there is no analogue of the selection predicates which can be used in LOTOS to restrict the values passed in a ? event. For example, LOTOS allows events such as g?x [x > 3], meaning "input an x which is bigger than 3". This means that the transition conditions in the LOTOS semantics need to be able to talk about the data associated with the current transition, whereas in CCS these are concerned only with previous transitions. Another difference is that in order to implement multi-way synchronisation LOTOS permits synchronisation between any combination of ? and ! events, whereas in CCS an input event (?) can synchronise only with an output action (!). This means that the distinction between ? and ! is much less significant in LOTOS than it is in CCS. Essentially, a ! event is associated with an expression using constants and "known" variables while a ? event introduces a new variable. We have found it convenient to remove the !/? distinction from the syntax of data expressions in STSs.
We shall still need to be able to tell when a transition introduces a new variable, but this will be determined by comparing the transition's data expression with the free variables of the source of the transition. We shall assume that we have a countable set of variables, $Var$, ranged over by $x$, $y$, etc., and a (possibly infinite) set of values, $Val$, ranged over by $v$. We also assume a set of data expressions, $Exp$, which includes $Var$ and $Val$ and is ranged over by $E$, and a set of boolean expressions, $BoolExp$, ranged over by $b$. We also assume that we have a set of gates, $G$, ranged over by $g$. The set of simple events, $SimpleEv$, ranged over by $a$, is defined as $G \cup \{i, \delta\}$. (Recall that in LOTOS $i$ is the internal event and $\delta$ is the special event which takes place when a process is exited.) The set of structured events, $StructEv$, contains all gate-expression combinations $gE$, as well as all combinations $\delta E$. Since the two kinds of structured events are handled exactly the same, we shall generally ignore $\delta$ in this paper, treating it as if it were a member of $G$. For simplicity, we do not allow structured events consisting of multiple data expressions; only singleton data offers are allowed. It is possible, but tedious, to extend our analysis to the case of multiple data offers.

Basically, an STS is a directed graph whose nodes are tagged with sets of free variables, and whose branches are labelled with a boolean condition and an event. Formally, the definition of STS is as follows:

Definition 1. (Symbolic Transition Systems) A symbolic transition system consists of:
- a set of states, containing a distinguished initial state, $T_0$, with each state $T$ tagged with a set of free variables, denoted $fv(T)$;
- a set of transitions written as $T \xrightarrow{b\ \alpha} T'$, where $\alpha \in SimpleEv \cup StructEv$ and $b$ is a Boolean expression and $fv(T') \subseteq fv(T) \cup fv(\alpha)$ and $fv(b) \subseteq fv(T) \cup fv(\alpha)$ and $\#(fv(\alpha) \setminus fv(T)) \le 1$.

Following convention, we shall often identify an STS with its initial state.
For example, the set of free variables of an STS $S$, $fv(S)$, is defined as the set of free variables of the initial state of $S$. A set of rules presented in [4] defines how a symbolic transition system may be constructed from a LOTOS process expression. The resulting transition system is typically a cyclic graph (if recursive processes are involved) and is always of finite width (since only a finite number of branches may be described in a LOTOS process). This paper is concerned with STSs rather than LOTOS processes, though we shall use LOTOS syntax to describe examples.

2.1 Substitution

In the following section we present a logic on symbolic transition systems. Before we can do this, however, we must consider the question of how to define substitution on STSs. It is not possible to define a straightforward syntactic substitution on STSs because of the presence of cycles (such as might arise from recursive processes).

Fig. 2. Failed substitution on the Buff STS. Left: the STS of Buff, with transitions $Buff \xrightarrow{tt\ input\,x} Buff'$ and $Buff' \xrightarrow{tt\ output\,x} Buff$. Right: the result of substituting $[3/x]$ throughout, $Buff[3/x] \xrightarrow{tt\ input\,x[3/x]} Buff'[3/x] \xrightarrow{tt\ output\,x[3/x]} Buff[3/x]$.

Consider, for example, the simple buffer Buff := input?x:Nat; output!x; Buff. The STS which corresponds to Buff is shown in Figure 2. If the first action taken by this process is to input the value 3, then the x at the output gate must also be tied to that value. Since Buff is recursive, we expect that the next time round the loop a different value may be input, and therefore a different substitution must be applied. However, if we simply substitute 3 for x in the STS, as shown in Figure 2, we fail to capture this possibility. In [9], this problem is solved by introducing the concept of a "term": a node in a symbolic transition system paired with a substitution. The same solution can be adapted for LOTOS. Formally, a substitution is a partial function from $Var$ to $Var \cup Val$, and a term consists of an STS, $T$, paired with a substitution, $\sigma$, such that $domain(\sigma) \subseteq fv(T)$; we write such a term $T[\sigma]$. We use $t$ and $u$ to range over terms.
For example, since Buff is closed, it can be paired only with the empty substitution to form the term $Buff[\,]$. The substitution is applied step by step, when necessary, as explained in the rules for transitions between terms (Definition 2 below). For example, below are some possible transitions starting from the term $Buff[\,]$. The substitutions capture the fact that the variable $x$ is discarded and then bound afresh upon each pass through the loop, making it possible to process a different value during each pass.

$Buff[\,] \xrightarrow{tt\ input\,z_1} Buff'[z_1/x] \xrightarrow{tt\ output\,z_1} Buff[\,] \xrightarrow{tt\ input\,z_2} Buff'[z_2/x] \xrightarrow{tt\ output\,z_2} Buff[\,]$ and so on.

The definition of free variables is extended to terms in the obvious way. Terms, rather than STSs, are used as the basis for defining the logic and bisimulation.

Definition 2. (Transitions on Terms)
- $T \xrightarrow{b\ a} T'$ implies $T[\sigma] \xrightarrow{b\sigma\ a} T'[\sigma']$
- $T \xrightarrow{b\ gE} T'$ implies $T[\sigma] \xrightarrow{b\sigma\ gE\sigma} T'[\sigma']$, where $fv(E) \subseteq fv(T)$
- $T \xrightarrow{b\ gx} T'$ implies $T[\sigma] \xrightarrow{b\sigma[z/x]\ gz} T'[\sigma'[z/x]]$, where $x \notin fv(T)$ and $z \notin fv(T)$

In all cases, $\sigma' = fv(T') \lhd \sigma$, that is, the restriction of $\sigma$ to include only domain elements in the set $fv(T')$.

3 The Modal Logic FULL

In this section we present the syntax and semantics of a modal logic defined over symbolic transition systems. The logic is called Full LOTOS Logic (FULL) and is inspired by the HML presented in [18] and the data extended logic presented in [10]. The logic and the design considerations driving the choice of operators are described fully in [3]; here we simply give the syntax and semantics without discussion. FULL is made up of two parts. The first set of formulae, ranged over by $\Phi$, applies to closed terms. The second set, ranged over by $\Psi$, is to be used for terms with a single free variable, as would arise from a LOTOS process with a single parameter. (The extension to multiple free variables is straightforward but tedious and is therefore omitted.)

Definition 3. (Syntax of FULL)

$\Phi ::= b \mid \Phi_1 \wedge \Phi_2 \mid \Phi_1 \vee \Phi_2 \mid [a]\Phi \mid \langle a \rangle\Phi \mid \langle \exists x\, g \rangle\Phi \mid \langle \forall x\, g \rangle\Phi \mid [\exists x\, g]\Phi \mid [\forall x\, g]\Phi$

$\Psi ::= \exists x.\Phi \mid \forall x.\Phi$

Definition 4. (Semantics of FULL) Given any closed term $t$, the semantics of $t \models \Phi$ is given by:
- $t \models b$ iff $b \equiv tt$
- $t \models \Phi_1 \wedge \Phi_2$ iff $t \models \Phi_1$ and $t \models \Phi_2$
- $t \models \Phi_1 \vee \Phi_2$ iff $t \models \Phi_1$ or $t \models \Phi_2$
- $t \models \langle a \rangle\Phi$ iff there is a $t'$ s.t. $t \xrightarrow{tt\ a} t'$ and $t' \models \Phi$
- $t \models [a]\Phi$ iff whenever $t \xrightarrow{tt\ a} t'$ then $t' \models \Phi$
- $t \models \langle \exists x\, g \rangle\Phi$ iff for some value $v$, either for some $t'$, $t \xrightarrow{tt\ gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\ gz} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
- $t \models \langle \forall x\, g \rangle\Phi$ iff for all values $v$, either for some $t'$, $t \xrightarrow{tt\ gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\ gz} t'$ and $b[v/z] \equiv tt$ and $t'[v/z] \models \Phi[v/x]$
- $t \models [\exists x\, g]\Phi$ iff for some value $v$, whenever $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\ gz} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$
- $t \models [\forall x\, g]\Phi$ iff for all values $v$, whenever $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\ gz} t'$ and $b[v/z] \equiv tt$ then $t'[v/z] \models \Phi[v/x]$

Given any term $t$ with one free variable $z$, the semantics of $t \models \Psi$ is given by:
- $t \models \exists x.\Phi$ iff there is some value $v$ such that $t[v/z] \models \Phi[v/x]$
- $t \models \forall x.\Phi$ iff for all values $v$, $t[v/z] \models \Phi[v/x]$

A property of FULL is that for every formula it is possible to construct the negation, $neg$, of that formula. (We assume that negation is available in the underlying language of boolean expressions.) For example, $neg([\forall x\, g]\Phi)$ is $\langle \exists x\, g \rangle neg(\Phi)$. To each formula in FULL is associated a depth, $n$, which is defined in the obvious inductive way.

4 Bisimulation and Adequacy of FULL

In developing the logic FULL we were motivated by two goals. The first was to develop a logic which allowed properties concerning data to be expressed in a natural way. The second was to ensure that the logic was adequate with respect to other notions of equivalence between processes, in the sense that equivalent processes should satisfy the same set of logical formulae. One important relationship between processes is that of bisimulation.
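Before turning to bisimulation, the transitions on terms of Definition 2 and the satisfaction relation of Definition 4 from Section 3 as an added worked example that is not part of the paper: a small checker over the Buff STS of Figure 2 and the guarded process g?x [x > 3] of Section 2. It assumes a finite value set (VALUES) so that the value quantifiers can be enumerated, whereas the paper's Val may be infinite; the tuple encoding of formulae, the state names and the Python field names are the example's own.

```python
from dataclasses import dataclass

VALUES = range(0, 6)  # assumed finite value domain (the paper's Val may be infinite)

@dataclass(frozen=True)
class Trans:
    cond: object   # transition condition b: callable on the term's substitution (env)
    gate: str      # gate g, or the name of a simple event when data is None
    data: object   # None: simple event; a variable name (new iff not in fv(source)); or callable env -> value
    target: str

@dataclass
class STS:
    init: str      # distinguished initial state T0
    fv: dict       # state -> set of free variables the state is tagged with
    trans: dict    # state -> list of Trans leaving that state

def restrict(env, sts, state):
    # sigma' = fv(T') <| sigma: keep only the variables the target state is tagged with
    return {x: env[x] for x in sts.fv[state]}

def simple_successors(sts, state, env, a):
    # terms reachable from (state, env) by simple event a with a true condition
    for tr in sts.trans[state]:
        if tr.gate == a and tr.data is None and tr.cond(env):
            yield tr.target, restrict(env, sts, tr.target)

def successors(sts, state, env, g, v):
    # terms reachable by g<v>: known data equal to v (t --tt gv--> t'), or a new z := v with b[v/z] true (t'[v/z])
    for tr in sts.trans[state]:
        if tr.gate != g or tr.data is None:
            continue
        if isinstance(tr.data, str) and tr.data not in sts.fv[state]:
            env2 = dict(env, **{tr.data: v})          # fresh variable z, bound to v
        else:
            val = env[tr.data] if isinstance(tr.data, str) else tr.data(env)
            if val != v:
                continue
            env2 = env
        if tr.cond(env2):                              # b[v/z] must be tt
            yield tr.target, restrict(env2, sts, tr.target)

def sat(sts, term, phi, fenv=None):
    # t |= Phi (Definition 4); fenv holds the values substituted so far for the
    # formula's quantified variables, i.e. it represents Phi[v/x]
    fenv = fenv or {}
    state, env = term
    op = phi[0]
    if op == "b":
        return bool(phi[1](fenv))
    if op in ("and", "or"):
        q = all if op == "and" else any
        return q(sat(sts, term, sub, fenv) for sub in phi[1:])
    if op in ("dia", "box"):                           # <a>Phi and [a]Phi
        q = any if op == "dia" else all
        return q(sat(sts, t2, phi[2], fenv) for t2 in simple_successors(sts, state, env, phi[1]))
    _, x, g, body = phi          # dia_ex, dia_all, box_ex, box_all = <Ex g>, <Ax g>, [Ex g], [Ax g]
    over_values = any if op.endswith("_ex") else all   # "for some value v" / "for all values v"
    over_succs = any if op.startswith("dia") else all  # "for some t'" / "whenever"
    return over_values(over_succs(sat(sts, t2, body, dict(fenv, **{x: v}))
                                  for t2 in successors(sts, state, env, g, v))
                       for v in VALUES)

DUAL = {"and": "or", "or": "and", "dia": "box", "box": "dia",
        "dia_ex": "box_all", "box_all": "dia_ex", "dia_all": "box_ex", "box_ex": "dia_all"}

def neg(phi):
    # negation as the paper describes it, e.g. neg([Ax g]Phi) = <Ex g>neg(Phi)
    op = phi[0]
    if op == "b":
        return ("b", lambda f, p=phi[1]: not p(f))
    if op in ("and", "or"):
        return (DUAL[op], neg(phi[1]), neg(phi[2]))
    if op in ("dia", "box"):
        return (DUAL[op], phi[1], neg(phi[2]))
    return (DUAL[op], phi[1], phi[2], neg(phi[3]))

TT = lambda env: True
# Buff := input?x:Nat; output!x; Buff (the paper's Figure 2): x is new on input, known on output
BUFF = STS("Buff", {"Buff": set(), "Buff'": {"x"}},
           {"Buff": [Trans(TT, "input", "x", "Buff'")], "Buff'": [Trans(TT, "output", "x", "Buff")]})
# P := g?x [x > 3]; exit (the selection-predicate example of Section 2); Exit has no further transitions
GUARD = STS("P", {"P": set(), "Exit": set()},
            {"P": [Trans(lambda env: env["x"] > 3, "g", "x", "Exit")], "Exit": []})

def check_examples():
    # some FULL formulae on the closed terms Buff[] and P[]; returns name -> truth value
    eq = ("b", lambda f: f["y"] == f["x"])
    tt = ("b", lambda f: True)
    formulas = {
        "F1": (BUFF, ("dia_all", "x", "input", ("dia_ex", "y", "output", eq))),    # whatever is input can be output
        "F2": (BUFF, ("box_all", "x", "input", ("box_all", "y", "output", eq))),   # only the input value is output
        "F3": (BUFF, ("dia_ex", "x", "input", ("dia_ex", "y", "output", neg(eq)))),  # a different value out?
        "G1": (GUARD, ("box_all", "x", "g", ("b", lambda f: f["x"] > 3))),         # every accepted input is > 3
        "G2": (GUARD, ("dia_all", "x", "g", tt)),                                  # every value can be input
        "G3": (GUARD, ("dia_ex", "x", "g", tt)),                                   # some value can be input
    }
    return {name: sat(sts, (sts.init, {}), phi) for name, (sts, phi) in formulas.items()}
```

Running check_examples() shows G2 failing because the selection predicate rejects 0 to 3 while G1 and G3 hold, and F3 failing because Buff can only ever output the value it received.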
In this section we show how bisimulation is defined upon terms and prove that FULL is adequate with respect to bisimulation. We shall assume we have a function $new(t, u)$ which, given two terms $t$ and $u$, returns a variable which is not among the free variables of either $t$ or $u$.

Definition 5. (Bisimulation on terms) Given two closed terms $t$ and $u$,
1. $t \sim_0 u$;
2. for all $n > 0$, $t \sim_n u$ provided that:
 (a) (simple event) whenever $t \xrightarrow{tt\ a} t'$, then for some $u'$, $u \xrightarrow{tt\ a} u'$ and $t' \sim_{n-1} u'$;
 (b) (structured event, no new variable) whenever $t \xrightarrow{tt\ gv} t'$, then either for some $u'$, $u \xrightarrow{tt\ gv} u'$ and $t' \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\ gz} u'$ and $b_u[v/z] \equiv tt$ and $t' \sim_{n-1} u'[v/z]$, where $z = new(t, u)$;
 (c) (structured event, new variable) whenever $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$, then, for all $v$ s.t. $b_t[v/z] \equiv tt$, either for some $u'$, $u \xrightarrow{tt\ gv} u'$ and $t'[v/z] \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\ gz} u'$ and $b_u[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'[v/z]$;
 (d), (e), (f) symmetrically, the transitions of $u$ must be matched by $t$.

Given two terms $t$ and $u$ with free variables $\{x\}$ and $\{y\}$, respectively, $t \sim_n u$ provided that for all values $v$, $t[v/x] \sim_n u[v/y]$.

The four theorems which follow show that FULL is adequate with respect to bisimulation. Theorems 1 and 2 give the result for closed terms, and are then used to prove the result for terms of one free variable (Theorems 3 and 4).

Theorem 1. (FULL distinguishes non-bisimilar closed terms) For all $n$, for all closed terms $t$ and $u$, if $t \not\sim_n u$ then there is a formula $\Phi$ such that $t \models \Phi$ and $u \not\models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$ then the result is vacuously true. In the case where $n > 0$, we examine all the ways in which bisimulation can fail and, in each case, construct a formula which is satisfied by $t$ but not by $u$. We shall illustrate the construction by showing the case where rule (c) of Definition 5 fails. The other cases are simpler and are omitted.
If rule (c) fails, then there is a transition $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$, but there is some value $v$ such that $b_t[v/z] \equiv tt$ and, for all transitions of the form $u \xrightarrow{tt\ gv} u'$, $t'[v/z] \not\sim_{n-1} u'$, and for all transitions of the form $u \xrightarrow{b_u\ gz} u'$ where $b_u[v/z] \equiv tt$, $t'[v/z] \not\sim_{n-1} u'[v/z]$. Suppose that there are $k$ of the first kind of transition and $m$ of the second kind, where $k$ and $m$ are natural numbers. Then, by the induction hypothesis, each of the $u'_i$ of the first kind can be distinguished from $t'[v/z]$ by some formula $\Phi_i$, and for each of the $u'_i$ of the second kind, there is a formula $\Phi'_i$ which distinguishes $t'[v/z]$ from $u'_i[v/z]$. Then, $t$ and $u$ can be distinguished by the formula $\langle \exists x\, g \rangle \big((x = v) \wedge \bigwedge\{\Phi_1, \ldots, \Phi_k\} \wedge \bigwedge\{\Phi'_1, \ldots, \Phi'_m\}\big)$.

Theorem 2. (Bisimilar closed terms satisfy the same formulae) For all $n$, for all closed terms $t$ and $u$, if $t \sim_n u$ then, for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$, then the formula must be of depth $0$, and must therefore be a simple boolean $b$. By the semantics of FULL, it is clear that for any $t$ and $u$, $t \models b$ iff $u \models b$.

In the case where $n > 0$, we take any $t$ and $u$ and assume that $t \sim_n u$. We must show that for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$. This is done by induction on the structure of $\Phi$. There are 9 cases to consider. We illustrate the arguments used by showing one of the most complex cases: consider the case where $\Phi$ is of the form $[\forall x\, g]\Phi'$. Suppose that $t \models \Phi$. Then, by the semantics of FULL, for all values $v$, whenever there is a $t'$ such that $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi'[v/x]$, and whenever there is a $t'$ such that $t \xrightarrow{b_t\ gz} t'$ (for some new variable $z$) and $b_t[v/z] \equiv tt$ then $t'[v/z] \models \Phi'[v/x]$. We must show that $u \models \Phi$. Take any value $v$. We must consider all $u$ transitions on $v$.
These can be of two kinds:

Case (1). Suppose there is a transition of the form $u \xrightarrow{tt\ gv} u'$. By bisimilarity, this is matched by a $t$ transition. There are two possibilities. The matching transition may be of the form $t \xrightarrow{tt\ gv} t'$, where $t' \sim_{n-1} u'$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$. The matching transition may be of the form $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$ and $b_t[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'$. Then, we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.

Case (2). Suppose there is a transition of the form $u \xrightarrow{b_u\ gz'} u'$ (for some fresh $z'$) and $b_u[v/z'] \equiv tt$. We wish to show that $u'[v/z'] \models \Phi'[v/x]$. Now, since $z'$ is fresh, we can replace $z'$ by $z$ where $z = new(t, u)$. In other words, we are looking instead at the transition $u \xrightarrow{b_u[z/z']\ gz} u'[z/z']$. For this transition, we get that $b_u[v/z] \equiv tt$, and we need to show that $u'[v/z] \models \Phi'[v/x]$ (writing $b_u$ and $u'$ for the renamed condition and target). By bisimilarity, this transition is matched by a $t$ transition. There are two possibilities. The matching transition may be of the form $t \xrightarrow{tt\ gv} t'$, where $t' \sim_{n-1} u'[v/z]$. Then, we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[v/z] \models \Phi'[v/x]$. The matching transition may be of the form $t \xrightarrow{b_t\ gz} t'$, where $b_t[v/z] \equiv tt$ and $t'[v/z] \sim_{n-1} u'[v/z]$. Then, we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[v/z] \models \Phi'[v/x]$.

Theorem 3. (FULL distinguishes non-bisimilar open terms) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \not\sim_n u$ then there is a formula $\Psi$ such that $t \models \Psi$ and $u \not\models \Psi$.

Proof. Suppose that the free variables of $t$ and $u$ are $z_1$ and $z_2$, respectively. Since $t \not\sim_n u$, there is some value $v$ such that $t[v/z_1] \not\sim_n u[v/z_2]$. By Theorem 1 there is then a formula $\Phi$ such that $t[v/z_1] \models \Phi$ but $u[v/z_2] \not\models \Phi$.
We construct the formula $\Psi = \forall x.\,(x \neq v) \vee \Phi$. Then, $t \models \Psi$ but $u \not\models \Psi$.

Theorem 4. (Bisimilar open terms satisfy the same formulae) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \sim_n u$ then, for all $\Psi$ such that $depth(\Psi) \le n$, $t \models \Psi$ if and only if $u \models \Psi$.

Proof. This is a straightforward consequence of Theorem 2.

5 Further Work

The results presented in this paper provide a foundation upon which to build a system for verifying properties of specifications in Full LOTOS. In this section we discuss the further work, both theoretical and practical, which needs to be done to realise this goal.

Extensions of the Logic

The logic we have developed is relatively sparse, and there are several useful ways in which it could be extended and made more expressive. However, care must be taken to ensure that this is not done at the expense of adequacy. Two important features which we intend to focus upon are ways of handling multi-sorted data, and fixpoint operators to handle recursion. User-defined algebraic datatypes are an important and heavily used feature of LOTOS, so it is essential to extend FULL to deal in some way with multiple data types. One obvious way of doing this is to encode types as predicates over values. The details of this need to be worked out and alternative solutions explored. Recursion is another heavily-used feature of LOTOS, and the usefulness of FULL would be significantly enhanced by the addition of fixpoint operators for reasoning about recursive or infinitary behaviour. This is a topic which has been much studied in the theory of concurrency and we hope to be able to adapt existing solutions to the needs of LOTOS.

Further Theoretical Analysis

Some areas of the theory underlying symbolic transition systems for LOTOS are as yet incomplete. For example, the relationship between our symbolic semantics and the standard semantics of LOTOS has not yet been fully analyzed.
We conjecture that the two semantics coincide for closed terms, in the sense that bisimilar terms in the symbolic semantics correspond to bisimilar processes in the standard semantics. The details of this remain to be checked. Another interesting area of study is symbolic bisimulation. The bisimulation presented in this paper is of limited practical use because it requires a possibly infinite number of values to be examined (cf. rules 2(c) and 2(f) of Definition 5). This problem can be solved by turning to symbolic bisimulation, as introduced in [9]. Symbolic bisimulation solves the problem of infinite values by dividing the value space that must be examined into a finite number of partitions described by boolean expressions. We have defined symbolic bisimulation for LOTOS [4] and are working on its theoretical underpinnings and the development of a bisimulation-checking tool to support it.

Algorithms and Tools

The eventual goal of this research is the development of tools to support reasoning about specifications in Full LOTOS. Work is in progress on the development of algorithms for reasoning within FULL. In tandem with this, there is also work on the implementation of tools to support reasoning in FULL. At the present time, a restricted version of the logic has been implemented in CADP. The logic is also being implemented in the Ergo theorem prover [2] and in the Maude system [5].

Acknowledgement. The authors would like to thank the Engineering and Physical Sciences Research Council and the Nuffield Foundation Newly Appointed Lecturer scheme for supporting this research.

References

1. D. Amyot, L. Charfi et al. Feature Description and Feature Interaction Analysis with Use Case Maps and LOTOS. In M. Calder and E. Magill, editors, Feature Interactions in Telecommunications and Software Systems VI. IOS Press, May 2000.
2. H. Becht, A. Bloesch et al. Ergo 4.1 Reference Manual. Technical Report 9631, Software Verification Research Centre, University of Queensland, Australia, November 1996.
3. M. Calder, S. Maharaj, and C. Shankland. A Modal Logic for Early Symbolic Transition Systems. The Computer Journal, 2001. To appear.
4. M. Calder and C. Shankland. A Symbolic Semantics and Bisimulation for Full LOTOS. To appear as a University of Stirling Technical Report, 2000.
5. M. Clavel, F. Duran et al. Maude: Specification and Programming in Rewriting Logic. Maude System documentation. Computer Science Laboratory, SRI, Menlo Park, California, March 1999.
6. J-C. Fernandez, H. Garavel et al. CADP (CAESAR/ALDEBARAN Development Package): A Protocol Validation and Verification Toolbox. In R. Alur and T.A. Henzinger, editors, Proceedings of CAV'96, number 1102 in Lecture Notes in Computer Science, pages 437-440. Springer-Verlag, 1996.
7. J.F. Groote and R. Mateescu. Verification of Temporal Properties of Processes in a Setting with Data. In Proceedings of the 7th International Conference on Algebraic Methodology and Software Technology AMAST'98, Amazonia, Brazil, volume 1548 of Lecture Notes in Computer Science, pages 74-90, 1999.
8. J.F. Groote and A. Ponse. The Syntax and Semantics of μCRL. In Proceedings of Algebra of Communicating Processes, Utrecht 1994, Workshops in Computing. Springer-Verlag, 1995.
9. M. Hennessy and H. Lin. Symbolic Bisimulations. Theoretical Computer Science, 138:353-389, 1995.
10. M. Hennessy and X. Liu. A Modal Logic for Message Passing Processes. Acta Informatica, 32:375-393, 1995.
11. M. Hennessy and R. Milner. Algebraic Laws for Nondeterminism and Concurrency. Journal of the Association for Computing Machinery, 32(1):137-161, 1985.
12. International Organisation for Standardisation. Information Processing Systems, Open Systems Interconnection, LOTOS: A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour, 1988.
13. C. Kirkwood. Specifying Properties of Basic LOTOS Processes Using Temporal Logic. In G. v. Bochmann, R. Dssouli, and O. Rafiq, editors, Formal Description Techniques, VIII, IFIP. Chapman Hall, April 1996.
14. D. Kozen. Results on the Propositional μ-Calculus. Theoretical Computer Science, 27:333-354, 1983.
15. R. Mateescu and H. Garavel. XTL: A Meta-Language and Tool for Temporal Logic Model-Checking. In Proceedings of the International Workshop on Software Tools for Technology Transfer STTT'98 (Aalborg, Denmark), 1998.
16. C. Pecheur. Using LOTOS for specifying the CHORUS distributed operating system kernel. Computer Communications, 15(2):93-102, March 1992.
17. M. Sighireanu and R. Mateescu. Verification of the Link Layer Protocol of the IEEE-1394 Serial Bus (FireWire): an Experiment with E-LOTOS. Springer International Journal on Software Tools for Technology Transfer (STTT), 2(1):68-88, Dec. 1998.
18. C. Stirling. Temporal Logics for CCS. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS 354, pages 660-672. Springer-Verlag, 1989. REX School/Workshop, Noordwijkerhout, The Netherlands, May/June 1988.
19. M. Thomas. The Story of the Therac-25 in LOTOS. High Integrity Systems Journal, 1(1):3-15, 1994.
20. M. Thomas. Modelling and Analysing User Views of Telecommunications Services. In Feature Interactions in Telecommunications Systems, pages 168-183. IOS Press, 1997.
21. M. Thomas and B. Ormsby. On the Design of Side-Stick Controllers in Fly-by-Wire Aircraft. A.C.M. Applied Computing Review, 2(1):15-20, Spring 1994.
22. Kenneth J. Turner. An architectural description of intelligent network features and their interactions. Computer Networks, 30(15):1389-1419, September 1998.
23. A. Vogel. On ODP's architectural semantics using LOTOS. In J. de Meer, B. Mahr, and O. Spaniol, editors, Proc. Int. Conf. on Open Distributed Processing, pages 340-345, September 1993.
Often the properties refer to data, but symbolically, rather than mentioning particular instances. For example, in the classical comparator one such property is: if process Comp inputs x and y on channel in, and x and y are equivalent, then eventually it will output true on channel out.

There has been a good reason to avoid dealing with data properly: in LOTOS, data introduces infinite branching into the underlying state transition systems. For example, the simple process g?x:Nat; exit results in an infinite choice, one for each member of Nat. This presents a serious obstacle to reasoning, particularly to approaches based on (finite) model-checking. Therefore existing approaches have been restricted to Basic LOTOS [13], or LOTOS with only finite data types [6].

Our aim is to provide a complete approach to data. In order to do so, we base our logic on a new semantics for LOTOS which is finitely branching. This is achieved by having a symbolic treatment of data; the underlying state transition systems are therefore called symbolic state transition systems (STSs). Our work is heavily influenced by the symbolic transition systems and logic developed by Hennessy, Lin and Liu for CCS [9, 10]. However, it is significantly different because of the special characteristics of the STSs that result from LOTOS. These derive from the three (related) features that distinguish LOTOS from most other process algebras: multi-way (broadcast) synchronisation, value negotiation, and selection predicates. Together, these features make the definition of the similar concepts of symbolic transition, bisimulation and logic non-trivial.

1.1 Related Work

A symbolic approach to message passing CCS is presented in [9] and a related logic in [10]. We adopt the theory of symbolic transition systems here, but the logic is not so useful for our applications. The logic of Hennessy and Liu is based on a late semantics, whereas we adopt an early semantics because the standard definition of LOTOS [12] is also early.
(The late and early classification relates to the binding time of variables to values.) In addition, the modal operators defined rely on the classical CCS distinction between ! and ? data offers (i.e. as corresponding to output and input events). In LOTOS the distinction between these two kinds of data offers is not so clear cut. The logic does have the advantage that it is based on symbolic transition systems, and therefore places no artificial restrictions on data values.

μCRL [8] is, like LOTOS, a process algebra with data. In [7] an extension of the modal mu-calculus [14] is presented which includes quantification over data in the modal operators. The semantics of the logic is over labelled transition systems and therefore is subject to the usual problems of state explosion. The focus of their research is on proof rules for the logic rather than adequacy with respect to some equivalence over μCRL processes.

The CADP toolkit [6] provides a number of tools to analyse Full LOTOS specifications, two of which use logic to provide an abstract description of system properties. The tool evaluator takes an alternation-free modal mu-calculus [14] formula and assesses its truth with respect to a LOTOS expression. The modal operators are extended to allow more flexibility in dealing with actions with data; for example, precise actions or Unix regular expressions can be matched. However, it is not possible to state general predicates on data, such as "input a value which is less than 42 but more than 3". The action formulae of this logic treat the values as syntactic entities only, whereas we provide the ability to reason about their semantics too.

Also part of the CADP toolkit is XTL [15]. This is an executable temporal language which describes computations over transitions. XTL allows a more general treatment of data actions than the evaluator. For example, variables over data can be declared and matched with actions, and operations over data in the LOTOS source can also be used in the logic.
Various logics can be encoded in XTL; in fact, we have encoded a restricted form of the logic presented in this paper in XTL and carried out some limited examples. Two important disadvantages of XTL are that the underlying semantics of labelled transition systems is concrete (i.e. fully instantiated) and that CADP must impose finiteness restrictions on the data types of the language to obtain tractability. So, any logic encoded by XTL cannot handle Full LOTOS effectively or accurately.

1.2 Structure of the Paper

The structure of the rest of this paper is as follows. In Section 2 we introduce the idea of a symbolic transition system, describe how this has had to be adapted for LOTOS, and explain the problem of defining substitution and how this is solved. In Section 3 we present the syntax and semantics of a modal logic called FULL. In Section 4 we give an alternative characterisation of the equivalence induced by the logic by showing that it coincides with bisimulation on symbolic transition systems. Finally, we discuss further work and conclude in Section 5.

2 Symbolic Transition Systems

The standard semantics of LOTOS [12] (labelled transition systems) hard codes concrete data values into the transitions. For example, g!0; P offers the single transition labelled g[0], while g?x:Nat; P offers the transitions labelled by g[0], g[succ(0)], g[succ(succ(0))], ... (Fig. 1). Thus, event offers of more than one value (i.e. ? offers) correspond to a (possibly infinite) choice over all values of the data type. While this makes the semantics of certain language features easier to describe (particularly multiway synchronisation), it makes reasoning about specifications more difficult since transition systems are typically infinite. Existing tools such as CADP [6] deal with this problem by imposing finiteness restrictions on data types, limiting the natural numbers, for example, to a maximum of 256.

Fig. 1. Standard semantics of the g?x:Nat event offer: from g?x:Nat;P there is one transition for each value, labelled g0, g1, g2, ..., gn, ...
An alternative solution is to restate the semantics of the language in a form which exposes the commonalities of actions and the finitary nature of the process specification. This can be done by basing the semantics on symbolic transition systems (STSs). These are essentially transition systems whose transitions can have free variables in the data label and are additionally labelled with a transition condition representing the conditions under which that transition is available. This approach was first introduced in [9], which gave a symbolic semantics for value passing CCS. In our research [4, 3], we have been adapting this theory for use with LOTOS.

There are significant differences between LOTOS and value passing CCS which mean that this adaptation is not straightforward. One difference is that input events in CCS are always unconstrained and there is no analogue of the selection predicates which can be used in LOTOS to restrict the values passed in a ? event. For example, LOTOS allows events such as g?x [x > 3], meaning "input an x which is bigger than 3". This means that the transition conditions in the LOTOS semantics need to be able to talk about the data associated with the current transition, whereas in CCS these are concerned only with previous transitions. Another difference is that in order to implement multi-way synchronisation LOTOS permits synchronisation between any combination of ? and ! events, whereas in CCS an input event (?) can synchronise only with an output action (!). This means that the distinction between ? and ! is much less significant in LOTOS than it is in CCS. Essentially, a ! event is associated with an expression using constants and "known" variables, while a ? event introduces a new variable. We have found it convenient to remove the !/? distinction from the syntax of data expressions in STSs.
We shall still need to be able to tell when a transition introduces a new variable, but this will be determined by comparing the transition's data expression with the free variables of the source of the transition.

We shall assume that we have a countable set of variables, Var, ranged over by x, y, etc., and a (possibly infinite) set of values, Val, ranged over by v. We also assume a set of data expressions, Exp, which includes Var and Val and is ranged over by E, and a set of boolean expressions, BoolExp, ranged over by b. We also assume that we have a set of gates, G, ranged over by g. The set of simple events, SimpleEv, ranged over by a, is defined as $G \cup \{i, \delta\}$. (Recall that in LOTOS i is the internal event and $\delta$ is the special event which takes place when a process is exited.) The set of structured events, StructEv, contains all gate-expression combinations gE, as well as all combinations $\delta E$. Since the two kinds of structured events are handled exactly the same, we shall generally ignore $\delta$ in this paper, treating it as if it were a member of G. For simplicity, we do not allow structured events consisting of multiple data expressions; only singleton data offers are allowed. It is possible, but tedious, to extend our analysis to the case of multiple data offers.

Basically, an STS is a directed graph whose nodes are tagged with sets of free variables, and whose branches are labelled with a boolean condition and an event. Formally, the definition of STS is as follows:

Definition 1. (Symbolic Transition Systems) A symbolic transition system consists of:
- a set of states, containing a distinguished initial state, $T_0$, with each state $T$ tagged with a set of free variables, denoted $fv(T)$;
- a set of transitions, written as $T \xrightarrow{b\ \alpha} T'$, where $\alpha \in SimpleEv \cup StructEv$ and $b$ is a Boolean expression, and $fv(T') \subseteq fv(T) \cup fv(\alpha)$, $fv(b) \subseteq fv(T) \cup fv(\alpha)$ and $\#(fv(\alpha) \setminus fv(T)) \le 1$.

Following convention, we shall often identify an STS with its initial state.
For example, the set of free variables of an STS $S$, $fv(S)$, is defined as the set of free variables of the initial state of $S$.

A set of rules presented in [4] defines how a symbolic transition system may be constructed from a LOTOS process expression. The resulting transition system is typically a cyclic graph (if recursive processes are involved) and is always of finite width (since only a finite number of branches may be described in a LOTOS process). This paper is concerned with STSs rather than LOTOS processes, though we shall use LOTOS syntax to describe examples.

2.1 Substitution

In the following section we present a logic on symbolic transition systems. Before we can do this, however, we must consider the question of how to define substitution on STSs. It is not possible to define a straightforward syntactic substitution on STSs because of the presence of cycles (such as might arise from recursive processes).

Consider, for example, the simple buffer Buff = input?x:Nat; output!x; Buff. The STS which corresponds to Buff is shown in Figure 2. If the first action taken by this process is to input the value 3, then the x at the output gate must also be tied to that value. Since Buff is recursive, we expect that the next time round the loop a different value may be input, and therefore a different substitution must be applied. However, if we simply substitute 3 for x in the STS, as shown in Figure 2, we fail to capture this possibility.

Fig. 2. Failed substitution on the Buff STS. Left: the STS of Buff, with transitions $\mathit{Buff} \xrightarrow{tt\ \mathit{input}\ x} \mathit{Buff}'$ and $\mathit{Buff}' \xrightarrow{tt\ \mathit{output}\ x} \mathit{Buff}$. Right: the result of substituting 3 for x throughout, $\mathit{Buff} \xrightarrow{tt\ \mathit{input}\ x[3/x]} \mathit{Buff}'[3/x] \xrightarrow{tt\ \mathit{output}\ x[3/x]} \mathit{Buff}$.

In [9], this problem is solved by introducing the concept of a "term": a node in a symbolic transition system paired with a substitution. The same solution can be adapted for LOTOS. Formally, a substitution is a partial function from Var to $Var \cup Val$, and a term consists of an STS, $T$, paired with a substitution, $\sigma$, such that $domain(\sigma) \subseteq fv(T)$. We use $t$ and $u$ to range over terms.
For example, since Buff is closed, it can be paired only with the empty substitution to form the term $\mathit{Buff}[\,]$. The substitution is applied step by step, when necessary, as explained in the rules for transitions between terms (Figure 2). For example, below are some possible transitions starting from the term $\mathit{Buff}[\,]$. The substitutions capture the fact that the variable x is discarded and then bound afresh upon each pass through the loop, making it possible to process a different value during each pass.

$\mathit{Buff}[\,] \xrightarrow{tt\ \mathit{input}\ z_1} \mathit{Buff}'[z_1/x]$
$\mathit{Buff}'[1/x] \xrightarrow{tt\ \mathit{output}\ 1} \mathit{Buff}[\,]$
$\mathit{Buff}[\,] \xrightarrow{tt\ \mathit{input}\ z_2} \mathit{Buff}'[z_2/x]$
$\mathit{Buff}'[2/x] \xrightarrow{tt\ \mathit{output}\ 2} \mathit{Buff}[\,]$
and so on.

The definition of free variables is extended to terms in the obvious way. Terms, rather than STSs, are used as the basis for defining the logic and bisimulation.

Definition 2. (Transitions on Terms)
- $T \xrightarrow{b\ a} T'$ implies $T\sigma \xrightarrow{b\sigma\ a} T'\sigma'$
- $T \xrightarrow{b\ gE} T'$ implies $T\sigma \xrightarrow{b\sigma\ gE\sigma} T'\sigma'$, where $fv(E) \subseteq fv(T)$
- $T \xrightarrow{b\ gx} T'$ implies $T\sigma \xrightarrow{b\sigma[z/x]\ gz} T'\sigma'[z/x]$, where $x \notin fv(T)$ and $z \notin fv(T\sigma)$

In all cases, $\sigma' = fv(T') \triangleleft \sigma$, that is, the restriction of $\sigma$ to include only domain elements in the set $fv(T')$.

3 The Modal Logic FULL

In this section we present the syntax and semantics of a modal logic defined over symbolic transition systems. The logic is called Full LOTOS Logic (FULL) and is inspired by the HML presented in [18] and the data extended logic presented in [10]. The logic and the design considerations driving the choice of operators are described fully in [3]; here we simply give the syntax and semantics without discussion.

FULL is made up of two parts. The first set of formulae, ranged over by $\Phi$, applies to closed terms. The second set, ranged over by $\Psi$, is to be used for terms with a single free variable, as would arise from a LOTOS process with a single parameter. (The extension to multiple free variables is straightforward but tedious and is therefore omitted.)

Definition 3.
(Syntax of FULL)

$\Phi ::= b \mid \Phi_1 \wedge \Phi_2 \mid \Phi_1 \vee \Phi_2 \mid [a]\Phi \mid \langle a \rangle \Phi \mid \langle \exists x\, g \rangle \Phi \mid \langle \forall x\, g \rangle \Phi \mid [\exists x\, g]\Phi \mid [\forall x\, g]\Phi$
$\Psi ::= \exists x . \Phi \mid \forall x . \Phi$

Definition 4. (Semantics of FULL) Given any closed term $t$, the semantics of $t \models \Phi$ is given by:
- $t \models b$ iff $b = tt$
- $t \models \Phi_1 \wedge \Phi_2$ iff $t \models \Phi_1$ and $t \models \Phi_2$
- $t \models \Phi_1 \vee \Phi_2$ iff $t \models \Phi_1$ or $t \models \Phi_2$
- $t \models \langle a \rangle \Phi$ iff there is a $t'$ s.t. $t \xrightarrow{tt\ a} t'$ and $t' \models \Phi$
- $t \models [a]\Phi$ iff whenever $t \xrightarrow{tt\ a} t'$ then $t' \models \Phi$
- $t \models \langle \exists x\, g \rangle \Phi$ iff for some value $v$, either for some $t'$, $t \xrightarrow{tt\ gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\ gz} t'$ and $b[v/z] = tt$ and $t'[v/z] \models \Phi[v/x]$
- $t \models \langle \forall x\, g \rangle \Phi$ iff for all values $v$, either for some $t'$, $t \xrightarrow{tt\ gv} t'$ and $t' \models \Phi[v/x]$, or for some $t'$, $t \xrightarrow{b\ gz} t'$ and $b[v/z] = tt$ and $t'[v/z] \models \Phi[v/x]$
- $t \models [\exists x\, g]\Phi$ iff for some value $v$, whenever $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\ gz} t'$ and $b[v/z] = tt$ then $t'[v/z] \models \Phi[v/x]$
- $t \models [\forall x\, g]\Phi$ iff for all values $v$, whenever $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi[v/x]$, and whenever $t \xrightarrow{b\ gz} t'$ and $b[v/z] = tt$ then $t'[v/z] \models \Phi[v/x]$

Given any term $t$ with one free variable $z$, the semantics of $t \models \Psi$ is given by:
- $t \models \exists x . \Phi$ iff there is some value $v$ such that $t[v/z] \models \Phi[v/x]$
- $t \models \forall x . \Phi$ iff for all values $v$, $t[v/z] \models \Phi[v/x]$

A property of FULL is that for every formula it is possible to construct the negation, $neg\,\Phi$, of that formula. (We assume that negation is available in the underlying language of boolean expressions.) For example, $neg([\forall x\, g]\Phi)$ is $\langle \exists x\, g \rangle neg(\Phi)$. To each formula in FULL is associated a depth, $n$, which is defined in the obvious inductive way.

4 Bisimulation and Adequacy of FULL

In developing the logic FULL we were motivated by two goals. The first was to develop a logic which allowed properties concerning data to be expressed in a natural way. The second was to ensure that the logic was adequate with respect to other notions of equivalence between processes, in the sense that equivalent processes should satisfy the same set of logical formulae. One important relationship between processes is that of bisimulation.
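As an added worked example (not the paper's own code), the following Python models the Buff STS of Figure 2 as terms, replays the term transitions of Section 2.1 (Definition 2) and evaluates FULL formulas by Definition 4 over a constructed finite value domain VAL = {0, ..., 5}; the finite domain, the variant BUFF_GT3 with a selection predicate x > 3, the tuple encoding of formulas and all names are assumptions made for this example.

```python
from collections import namedtuple
from itertools import count

# Constructed finite value domain; an assumption, since the paper's Val may be infinite.
VAL = range(0, 6)
TT = lambda look: True  # the condition tt

# Symbolic transition system (Definition 1): fv maps each state to its free variables; trans
# holds (src, cond, gate, expr, dst), cond being a function of a lookup (variable -> value)
# and expr None (simple event), an int (a value) or a variable name (the expression offered).
STS = namedtuple("STS", "fv trans")

def fresh_var(sts, term):
    """A variable z that is not free in the term, as Definition 2 requires."""
    state, sigma = term
    used = (sts.fv[state] - set(sigma)) | {w for w in sigma.values() if isinstance(w, str)}
    return next(f"z{i}" for i in count(1) if f"z{i}" not in used)

def term_transitions(sts, term):
    """Transitions on terms (Definition 2), as (cond, gate, label, target term); label is
    None (simple event), a value, or the fresh variable; cond takes an env binding it."""
    state, sigma = term
    result = []
    for src, cond, gate, expr, dst in (tr for tr in sts.trans if tr[0] == state):
        sig = sigma
        if isinstance(expr, str) and expr not in sts.fv[state]:
            z = fresh_var(sts, term)                 # gx with x new: offer gz and record [z/x]
            sig, label = {**sigma, expr: z}, z
        elif isinstance(expr, str):
            label = sigma.get(expr, expr)            # gE with fv(E) in fv(T): offer E sigma
        else:
            label = expr                             # a constant, or None for a simple event
        def cond_sig(env, c=cond, s=sig):            # b sigma, with env binding the fresh variable
            def look(y):
                w = s.get(y, y)
                return env[w] if isinstance(w, str) else w
            return c(look)
        target = (dst, {y: w for y, w in sig.items() if y in sts.fv[dst]})  # sigma' = fv(T') <| sigma
        result.append((cond_sig, gate, label, target))
    return result

def instantiate(term, z, v):
    """t[v/z]: the variable z in the substitution becomes the value v."""
    return (term[0], {y: (v if w == z else w) for y, w in term[1].items()})

def successors(sts, t, gate, v):
    """The t' of Definition 4 for g v: t --tt gv--> t', or t --b gz--> t' with b[v/z] = tt, as t'[v/z]."""
    out = []
    for cond, g, label, tgt in term_transitions(sts, t):
        if g != gate or label is None:
            continue
        if isinstance(label, str) and cond({label: v}):
            out.append(instantiate(tgt, label, v))
        elif label == v and cond({}):
            out.append(tgt)
    return out

def sat(sts, t, phi, env=None):
    """t |= phi for a closed term t (Definition 4); env carries the values bound to formula
    variables and stands in for the syntactic substitution phi[v/x]."""
    env = env or {}
    kind, *args = phi
    if kind == "bool":
        return args[0](env)
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(sat(sts, t, a, env) for a in args)
    if kind in ("dia", "box"):                       # <a>phi and [a]phi for a simple event a
        a, psi = args
        hold = [sat(sts, u, psi, env) for cond, g, lab, u in term_transitions(sts, t)
                if g == a and lab is None and cond({})]
        return any(hold) if kind == "dia" else all(hold)
    x, g, psi = args                                 # ex_dia, all_dia, ex_box, all_box
    quant, modal = kind.split("_")
    def holds(v):                                    # the modality at the single value v
        hold = [sat(sts, u, psi, {**env, x: v}) for u in successors(sts, t, g, v)]
        return any(hold) if modal == "dia" else all(hold)
    return (all if quant == "all" else any)(holds(v) for v in VAL)

# Buff = input?x:Nat; output!x; Buff (Figure 2): Buff is closed, Buff' has fv {x}.
BUFF = STS({"Buff": set(), "Buff'": {"x"}},
           [("Buff", TT, "input", "x", "Buff'"), ("Buff'", TT, "output", "x", "Buff")])
# Constructed variant with a selection predicate in the style of g?x [x > 3].
BUFF_GT3 = STS({"Buff": set(), "Buff'": {"x"}},
               [("Buff", lambda look: look("x") > 3, "input", "x", "Buff'"),
                ("Buff'", TT, "output", "x", "Buff")])
# [forall x input]<exists y output>(y = x): whatever is input is output again.
ECHO = ("all_box", "x", "input", ("ex_dia", "y", "output", ("bool", lambda e: e["y"] == e["x"])))
# <exists x input>(x = 2): the value 2 can be accepted on input.
TAKES_2 = ("ex_dia", "x", "input", ("bool", lambda e: e["x"] == 2))

def demo():
    t0 = ("Buff", {})
    (_, gate, z, t1), = term_transitions(BUFF, t0)          # Buff[] --tt input z1--> Buff'[z1/x]
    (_, gate2, out, t2), = term_transitions(BUFF, instantiate(t1, z, 1))  # Buff'[1/x] --tt output 1--> Buff[]
    return {"first": (gate, z, t1), "second": (gate2, out, t2),
            "buff_echo": sat(BUFF, t0, ECHO), "gt3_echo": sat(BUFF_GT3, t0, ECHO),
            "buff_takes_2": sat(BUFF, t0, TAKES_2), "gt3_takes_2": sat(BUFF_GT3, t0, TAKES_2)}
```

ECHO holds for both buffers (for a value the selection predicate rejects, the box is vacuously true), while TAKES_2 separates them: the transition condition x > 3 under [2/z1] evaluates to ff, so BUFF_GT3 has no input successor at the value 2.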
In this section we show how bisimulation is defined upon terms and prove that FULL is adequate with respect to bisimulation. We shall assume we have a function $new(t, u)$ which, given two terms $t$ and $u$, returns a variable which is not among the free variables of either $t$ or $u$.

Definition 5. (Bisimulation on terms) Given two closed terms $t$ and $u$,
1. $t \sim_0 u$;
2. for all $n > 0$, $t \sim_n u$ provided that:
 (a) (simple event) whenever $t \xrightarrow{tt\ a} t'$, then for some $u'$, $u \xrightarrow{tt\ a} u'$ and $t' \sim_{n-1} u'$;
 (b) (structured event, no new variable) whenever $t \xrightarrow{tt\ gv} t'$, then either for some $u'$, $u \xrightarrow{tt\ gv} u'$ and $t' \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\ gz} u'$ and $b_u[v/z] = tt$ and $t' \sim_{n-1} u'[v/z]$, where $z = new(t, u)$;
 (c) (structured event, new variable) whenever $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$, then, for all $v$ s.t. $b_t[v/z] = tt$, either for some $u'$, $u \xrightarrow{tt\ gv} u'$ and $t'[v/z] \sim_{n-1} u'$, or for some $u'$, $u \xrightarrow{b_u\ gz} u'$ and $b_u[v/z] = tt$ and $t'[v/z] \sim_{n-1} u'[v/z]$;
 (d), (e), (f) symmetrically, the transitions of $u$ must be matched by $t$.

Given two terms $t$ and $u$ with free variables $\{x\}$ and $\{y\}$, respectively, $t \sim_n u$ provided that for all values $v$, $t[v/x] \sim_n u[v/y]$.

The four theorems which follow show that FULL is adequate with respect to bisimulation. Theorems 1 and 2 give the result for closed terms, and are then used to prove the result for terms of one free variable (Theorems 3 and 4).

Theorem 1. (FULL distinguishes non-bisimilar closed terms) For all $n$, for all closed terms $t$ and $u$, if $t \not\sim_n u$ then there is a formula $\Phi$ such that $t \models \Phi$ and $u \not\models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$ then the result is vacuously true. In the case where $n > 0$, we examine all the ways in which bisimulation can fail and, in each case, construct a formula which is satisfied by $t$ but not by $u$. We shall illustrate the construction by showing the case where rule (c) of Definition 5 fails. The other cases are simpler and are omitted.
If rule (c) fails, then there is a transition $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$, but there is some value $v$ such that $b_t[v/z] = tt$ and for all transitions of the form $u \xrightarrow{tt\ gv} u'$, $t'[v/z] \not\sim_{n-1} u'$, and for all transitions of the form $u \xrightarrow{b_u\ gz} u'$ where $b_u[v/z] = tt$, $t'[v/z] \not\sim_{n-1} u'[v/z]$. Suppose that there are $k$ of the first kind of transition and $m$ of the second kind, where $k$ and $m$ are natural numbers. Then, by the induction hypothesis, each of the $u'_i$ of the first kind can be distinguished from $t'[v/z]$ by some formula $\Phi_i$, and for each of the $u'_i$ of the second kind there is a formula $\Phi'_i$ which distinguishes $t'[v/z]$ from $u'_i[v/z]$. Then $t$ and $u$ can be distinguished by the formula $\langle \exists x\, g \rangle \big( (x = v) \wedge \bigwedge \{\Phi_1, \ldots, \Phi_k\} \wedge \bigwedge \{\Phi'_1, \ldots, \Phi'_m\} \big)$.

Theorem 2. (Bisimilar closed terms satisfy the same formulae) For all $n$, for all closed terms $t$ and $u$, if $t \sim_n u$ then, for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$.

Proof. The proof is by induction on $n$. If $n = 0$, then the formula must be of depth 0, and must therefore be a simple boolean $b$. By the semantics of FULL, it is clear that for any $t$ and $u$, $t \models b$ iff $u \models b$.

In the case where $n > 0$, we take any $t$ and $u$ and assume that $t \sim_n u$. We must show that for all formulae $\Phi$ such that $depth(\Phi) \le n$, $t \models \Phi$ if and only if $u \models \Phi$. This is done by induction on the structure of $\Phi$. There are 9 cases to consider. We illustrate the arguments used by showing one of the most complex cases.

Consider the case where $\Phi$ is of the form $[\forall x\, g]\Phi'$. Suppose that $t \models \Phi$. Then, by the semantics of FULL, for all values $v$, whenever there is a $t'$ such that $t \xrightarrow{tt\ gv} t'$ then $t' \models \Phi'[v/x]$, and whenever there is a $t'$ such that $t \xrightarrow{b_t\ gz} t'$ (for some new variable $z$) and $b_t[v/z] = tt$ then $t'[v/z] \models \Phi'[v/x]$. We must show that $u \models \Phi$. Take any value $v$. We must consider all $u$ transitions on $v$.
These can be of two kinds.

Case (1). Suppose there is a transition of the form $u \xrightarrow{tt\ gv} u'$. By bisimilarity, this is matched by a $t$ transition. There are two possibilities. The matching transition may be of the form $t \xrightarrow{tt\ gv} t'$, where $t' \sim_{n-1} u'$. Then we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$. Alternatively, the matching transition may be of the form $t \xrightarrow{b_t\ gz} t'$, where $z = new(t, u)$ and $b_t[v/z] = tt$ and $t'[v/z] \sim_{n-1} u'$. Then we know that $t'[v/z] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u' \models \Phi'[v/x]$.

Case (2). Suppose there is a transition of the form $u \xrightarrow{b_u\ gz} u'$ (for some fresh $z$) and $b_u[v/z] = tt$. We wish to show that $u'[v/z] \models \Phi'[v/x]$. Now, since $z$ is fresh, we can replace $z$ by $z'$, where $z' = new(t, u)$. In other words, we are looking instead at the transition $u \xrightarrow{b_u[z'/z]\ gz'} u'[z'/z]$. For this transition we get that $b_u[z'/z][v/z'] = tt$, and, since $u'[z'/z][v/z']$ is the same term as $u'[v/z]$, we need to show that $u'[z'/z][v/z'] \models \Phi'[v/x]$. By bisimilarity, this transition is matched by a $t$ transition. There are two possibilities. The matching transition may be of the form $t \xrightarrow{tt\ gv} t'$, where $t' \sim_{n-1} u'[z'/z][v/z']$. Then we know that $t' \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[z'/z][v/z'] \models \Phi'[v/x]$. Alternatively, the matching transition may be of the form $t \xrightarrow{b_t\ gz'} t'$, where $b_t[v/z'] = tt$ and $t'[v/z'] \sim_{n-1} u'[z'/z][v/z']$. Then we know that $t'[v/z'] \models \Phi'[v/x]$ and, by the main induction hypothesis, we get that $u'[z'/z][v/z'] \models \Phi'[v/x]$.

Theorem 3. (FULL distinguishes non-bisimilar open terms) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \not\sim_n u$ then there is a formula $\Psi$ such that $t \models \Psi$ and $u \not\models \Psi$.

Proof. Suppose that the free variables of $t$ and $u$ are $z_1$ and $z_2$, respectively. Since $t \not\sim_n u$, there is some value $v$ such that $t[v/z_1] \not\sim_n u[v/z_2]$. By Theorem 1 there is then a formula $\Phi$ such that $t[v/z_1] \models \Phi$ but $u[v/z_2] \not\models \Phi$.
We construct the formula $\Psi = \forall x . ((x \neq v) \vee \Phi)$. Then $t \models \Psi$ but $u \not\models \Psi$.

Theorem 4. (Bisimilar open terms satisfy the same formulae) For all $n$, for all terms $t$ and $u$ with one free variable, if $t \sim_n u$ then, for all $\Psi$ such that $depth(\Psi) \le n$, $t \models \Psi$ if and only if $u \models \Psi$.

Proof. This is a straightforward consequence of Theorem 2.

5 Further Work

The results presented in this paper provide a foundation upon which to build a system for verifying properties of specifications in Full LOTOS. In this section we discuss the further work, both theoretical and practical, which needs to be done to realise this goal.

Extensions of the Logic. The logic we have developed is relatively sparse, and there are several useful ways in which it could be extended and made more expressive. However, care must be taken to ensure that this is not done at the expense of adequacy. Two important features which we intend to focus upon are ways of handling multi-sorted data, and fixpoint operators to handle recursion. User-defined algebraic datatypes are an important and heavily used feature of LOTOS, so it is essential to extend FULL to deal in some way with multiple data types. One obvious way of doing this is to encode types as predicates over values. The details of this need to be worked out and alternative solutions explored. Recursion is another heavily-used feature of LOTOS, and the usefulness of FULL would be significantly enhanced by the addition of fixpoint operators for reasoning about recursive or infinitary behaviour. This is a topic which has been much studied in the theory of concurrency and we hope to be able to adapt existing solutions to the needs of LOTOS.

Further Theoretical Analysis. Some areas of the theory underlying symbolic transition systems for LOTOS are as yet incomplete. For example, the relationship between our symbolic semantics and the standard semantics of LOTOS has not yet been fully analyzed.
We conjecture that the two semantics coincide for closed terms, in the sense that bisimilar terms in the symbolic semantics correspond to bisimilar processes in the standard semantics. The details of this remain to be checked.

Another interesting area of study is symbolic bisimulation. The bisimulation presented in this paper is of limited practical use because it requires a possibly infinite number of values to be examined (cf. rules 2(c) and 2(f) of Definition 5). This problem can be solved by turning to symbolic bisimulation, as introduced in [9]. Symbolic bisimulation solves the problem of infinite values by dividing the value space that must be examined into a finite number of partitions described by boolean expressions. We have defined symbolic bisimulation for LOTOS [4] and are working on its theoretical underpinnings and the development of a bisimulation-checking tool to support it.

Algorithms and Tools. The eventual goal of this research is the development of tools to support reasoning about specifications in Full LOTOS. Work is in progress on the development of algorithms for reasoning within FULL. In tandem with this, there is also work on the implementation of tools to support reasoning in FULL. At the present time, a restricted version of the logic has been implemented in CADP. The logic is also being implemented in the Ergo theorem prover [2] and in the Maude system [5].

Acknowledgement. The authors would like to thank the Engineering and Physical Sciences Research Council and the Nuffield Foundation Newly Appointed Lecturer scheme for supporting this research.

References

1. D. Amyot, L. Charfi et al. Feature Description and Feature Interaction Analysis with Use Case Maps and LOTOS. In M. Calder and E. Magill, editors, Feature Interactions in Telecommunications and Software Systems VI. IOS Press, May 2000.
2. H. Becht, A. Bloesch et al. Ergo 4.1 Reference Manual.
Technical Report 9631, Software Verification Research Centre, University of Queensland, Australia, November 1996.
3. M. Calder, S. Maharaj, and C. Shankland. A Modal Logic for Early Symbolic Transition Systems. The Computer Journal, 2001. To appear.
4. M. Calder and C. Shankland. A Symbolic Semantics and Bisimulation for Full LOTOS. To appear as a University of Stirling Technical Report, 2000.
5. M. Clavel, F. Duran et al. Maude: Specification and Programming in Rewriting Logic. Maude System documentation. Computer Science Laboratory, SRI, Menlo Park, California, March 1999.
6. J-C. Fernandez, H. Garavel et al. CADP (CAESAR/ALDEBARAN Development Package): A Protocol Validation and Verification Toolbox. In R. Alur and T.A. Henzinger, editors, Proceedings of CAV'96, number 1102 in Lecture Notes in Computer Science, pages 437-440. Springer-Verlag, 1996.
7. J.F. Groote and R. Mateescu. Verification of Temporal Properties of Processes in a Setting with Data. In Proceedings of the 7th International Conference on Algebraic Methodology and Software Technology AMAST'98, Amazonia, Brazil, volume 1548 of Lecture Notes in Computer Science, pages 74-90, 1999.
8. J.F. Groote and A. Ponse. The Syntax and Semantics of μCRL. In Proceedings of Algebra of Communicating Processes, Utrecht 1994, Workshops in Computing. Springer-Verlag, 1995.
9. M. Hennessy and H. Lin. Symbolic Bisimulations. Theoretical Computer Science, 138:353-389, 1995.
10. M. Hennessy and X. Liu. A Modal Logic for Message Passing Processes. Acta Informatica, 32:375-393, 1995.
11. M. Hennessy and R. Milner. Algebraic Laws for Nondeterminism and Concurrency. Journal of the Association for Computing Machinery, 32(1):137-161, 1985.
12. International Organisation for Standardisation. Information Processing Systems - Open Systems Interconnection - LOTOS - A Formal Description Technique Based on the Temporal Ordering of Observational Behaviour, 1988.
13. C. Kirkwood.
Specifying Properties of Basic LOTOS Processes Using Temporal Logic. In G. v. Bochmann, R. Dssouli, and O. Rafiq, editors, Formal Description Techniques, VIII, IFIP. Chapman Hall, April 1996.
14. D. Kozen. Results on the Propositional μ-Calculus. Theoretical Computer Science, 27:333-354, 1983.
15. R. Mateescu and H. Garavel. XTL: A Meta-Language and Tool for Temporal Logic Model-Checking. In Proceedings of the International Workshop on Software Tools for Technology Transfer STTT'98 (Aalborg, Denmark), 1998.
16. C. Pecheur. Using LOTOS for specifying the CHORUS distributed operating system kernel. Computer Communications, 15(2):93-102, March 1992.
17. M. Sighireanu and R. Mateescu. Verification of the Link Layer Protocol of the IEEE-1394 Serial Bus (FireWire): an Experiment with E-LOTOS. Springer International Journal on Software Tools for Technology Transfer (STTT), 2(1):68-88, Dec. 1998.
18. C. Stirling. Temporal Logics for CCS. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, LNCS 354, pages 660-672. Springer-Verlag, 1989. REX School/Workshop, Noordwijkerhout, The Netherlands, May/June 1988.
19. M. Thomas. The Story of the Therac-25 in LOTOS. High Integrity Systems Journal, 1(1):3-15, 1994.
20. M. Thomas. Modelling and Analysing User Views of Telecommunications Services. In Feature Interactions in Telecommunications Systems, pages 168-183. IOS Press, 1997.
21. M. Thomas and B. Ormsby. On the Design of Side-Stick Controllers in Fly-by-Wire Aircraft. A.C.M. Applied Computing Review, 2(1):15-20, Spring 1994.
22. Kenneth J. Turner. An architectural description of intelligent network features and their interactions. Computer Networks, 30(15):1389-1419, September 1998.
23. A. Vogel. On ODP's architectural semantics using LOTOS. In J. de Meer, B. Mahr, and O. Spaniol, editors, Proc. Int. Conf. on Open Distributed Processing, pages 340-345, September 1993.